On 7/28/06, whistles <4whistles@gmail.com> wrote:
On 7/27/06, n3td3v <xploitable@gmail.com> wrote:
> Introduction:
>
> If it wasn't for my Fool-Disclosure thread
> http://groups.google.com/group/n3td3v/browse_thread/thread/c700b86a2c70e4cb
> about F-Secure you can bet this http://www.securityfocus.com/brief/264
> article wouldn't be on Securityfocus.com right now, and that is the
> point of what I was upto.
>
--snipped rambling grandiose blathering
You have saved the world again N3td3v, Congrats and many thanks from a
mere mortal!!!!!
I have socially engineered him for what his company is worth, nothing
but drama queens who pretend theres a XSS worm threat when there
isn't.
The only worm ever to appear with XSS was a harmless Myspace worm, yet
both companies are saying things are critical and that the internet is
rife with wormable XSS flaws, just to advertise to any would-be
attacker who didn't know, to make sure they know now.
There wasn't originally a threat in reality, but you can be sure
they've just created a threat by talking up the attack vector of XSS
worms on social network sites.
F-Secure was originally in the wrong to report their recent "Your new
friend is a worm" blog entry, but Securityfocus was even more in the
wrong by copying their stance and acting in the same bad taste as
F-Secure.
You can bet they'll be an XSS worm on a social network doing something
malicious in the next 6 to 12 months now, and you have F-Secure and
Securityfocus to thank.
This is the damage the two irresponsible vendors have the ability to
cause by reporting on false postiive security threats, just to
encourage security incidents and encourage "rent a quote" people to
play a lip service song on their hyped-up security threats and profit
margins.
Securityfocus and F-Secure in my opinion want an outbreak of social
networking XSS worms, and now someone will be stupid enough to be
infulenced by them and give them what they want.
Securityfocus and F-Secure have clever ways of justifying what they
do, but I guess they under estimate the intelligence of you and me in
the security community not to see through what they are really upto.
While they can get away with it legally, they can't get away from the
moral wrong doings in the mind of the security community.
Both companies are guilty in my personal opinion of _incitement_ to
cause a security incident in relation to XSS worms on social
networking sites, but these companies get away with similar all the
time, so I guess they are allowed to do what they do under some warped
journalistic guidelines.
I know theres no XSS worm threat, Securityfocus know theres no XSS
worm threat, F-Secure know theres no XSS worm threat, and everyone in
the security community knows theres no XSS worm threat, so why talk up
an XSS worm threat when there isn't one? Unless you want one to
happen.
I conclude to say this is proof theres no moral responsibility in
security news journalism anymore, if there ever was any, and this
needs to change and fast.
Theres nothing we can do now, the damage has been done, we can only
hope and pray the worst doesn't occur, a fully fledged malicious XSS
worm on a social networking web site.
n3td3v
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
